IRS Disables Hacked PIN Tool

The U.S. Internal Revenue Service says it's temporarily deactivated an online security feature after it discovered that it was being abused by identity thieves attempting to profit from tax return fraud.

The feature in question is a six-digit number that the IRS calls the Identity Protection PIN, or IP PIN, which it rolled out to prevent criminals from filing fraudulent income tax returns simply by using someone else's Social Security number.

But as part of an ongoing security review, the IRS says it has now discovered and blocked at least 800 cases that appear to involve criminals who were able to obtain legitimate IP PINs tied to tax filers' accounts, and warned that it's facing up to 130,000 fraudulent returns.

As a result, on March 7, the IRS announced that it temporarily disabled the ability to use its website "to try retrieving a lost or forgotten IP PIN." The agency's move suggests - although doesn't state explicitly - that attackers abused that feature to obtain valid PIN codes tied to victims' IRS accounts.

To use the PIN-retrieval feature, users needed to answer four "personal, financial and tax-related questions to verify your identity," according to a related IRS FAQ. Of course, if criminals already have that information, they could successfully impersonate taxpayers.

The IRS says that of the 2.7 million IP PINs that it's distributed for the 2016 tax-filing year - tax returns are due next month - there were 130,000 subsequent attempts, using the IRS website, to retrieve those PINs. It's not clear how many of those attempts were fraudulent.

Identity Theft, Fraud Review

All returns that are tied to PINs that were retrieved via the IRS website will now be subject to close scrutiny, the agency says, suggesting that some percentage of them will have been filed by fraudsters.

"For taxpayers retrieving a lost IP PIN, the IRS emphasizes it has put strengthened processes and filters in place for this tax season to review these tax returns," the agency says. "These strengthened review procedures - which are invisible to taxpayers - have helped detect potential identity theft and stopped refund fraud. Through the end of February, the IRS had confirmed and stopped 800 fraudulent returns using an IP PIN."
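As an added illustration, not code from the IRS or from this article, the following shows the shape of such a review filter: returns filed with an IP PIN that was handed out by the online retrieval tool are routed to manual review, and returns filed within days of that retrieval get an extra marker. The taxpayer records, timestamps and the seven-day window are constructed assumptions, as is the "filed soon after retrieval" heuristic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class PinRetrieval:
    taxpayer_id: str        # constructed pseudonymous id, not an SSN
    retrieved_at: datetime  # when the online tool handed out the IP PIN

@dataclass(frozen=True)
class TaxReturn:
    taxpayer_id: str
    filed_at: datetime
    used_ip_pin: bool       # False for a paper return without an IP PIN

def flag_returns_for_review(retrievals, returns, fast_window=timedelta(days=7)):
    """Map taxpayer_id -> list of reasons for returns that merit manual review.
    "online_retrieval": the IP PIN used came from the web tool (the filter the
    article describes). "filed_soon_after_retrieval": filed within fast_window
    of that retrieval (an assumed prioritisation heuristic, not an IRS rule)."""
    latest_retrieval = {}
    for r in retrievals:
        # keep only the most recent online retrieval per taxpayer
        prev = latest_retrieval.get(r.taxpayer_id)
        if prev is None or r.retrieved_at > prev:
            latest_retrieval[r.taxpayer_id] = r.retrieved_at
    flagged = {}
    for ret in returns:
        when = latest_retrieval.get(ret.taxpayer_id)
        if not ret.used_ip_pin or when is None:
            continue  # PIN came by mail, or no PIN at all: normal processing
        reasons = ["online_retrieval"]
        if timedelta(0) <= ret.filed_at - when <= fast_window:
            reasons.append("filed_soon_after_retrieval")
        flagged[ret.taxpayer_id] = reasons
    return flagged

# Constructed sample data: two online retrievals, three filed returns
SAMPLE_RETRIEVALS = [
    PinRetrieval("TP-0001", datetime(2016, 2, 1, 9, 30)),
    PinRetrieval("TP-0003", datetime(2016, 1, 5, 14, 0)),
]
SAMPLE_RETURNS = [
    TaxReturn("TP-0001", datetime(2016, 2, 2, 8, 0), True),    # retrieved, filed next day
    TaxReturn("TP-0002", datetime(2016, 2, 10, 12, 0), True),  # PIN arrived by mail
    TaxReturn("TP-0003", datetime(2016, 2, 20, 10, 0), True),  # retrieved six weeks earlier
]

if __name__ == "__main__":
    for tid, reasons in flag_returns_for_review(SAMPLE_RETRIEVALS, SAMPLE_RETURNS).items():
        print(tid, reasons)
```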

Disabling of the online PIN-retrieval feature shouldn't impact most tax filers, the IRS claims. "Taxpayers who have been issued an IP PIN should continue to file their tax returns as they normally would. The online tool is primarily used by taxpayers who have lost their IP PINs and need to retrieve their numbers. Most taxpayers receive their IP PIN via mail and never use the online tool."

But as a result of the online PIN-retrieval feature no longer being available, the IRS says that anyone who's been instructed to file a return using an IP PIN, but who's forgotten their PIN - or lost the related letter they should have received from the IRS - will need to call the agency and attempt to verify their identity. If that fails, or if they've moved since Jan. 1, 2016, "they must file a paper tax return, which will receive additional scrutiny and take longer to process because we don't normally accept these returns without an IP PIN," the agency says.

Follows 'Get Transcript' Hack

As noted, the agency has so far discovered only 800 instances of tax-return fraud tied to the subversion of the online IP PIN tool. While that might not seem like a significant number of cases, as breach-related investigations continue, investigators often find that the scope and scale of a data breach is much worse than was originally believed.

In May 2015, for example, the IRS warned that fraudsters had successfully subverted the agency's "Get Transcript" feature to obtain legitimate tax returns, thus giving them access to 114,000 real tax filers' tax returns, which include their Social Security numbers and other personal information, including financial details. The IRS first launched the feature in January 2014 to allow taxpayers to view and download their tax transcripts, or have them mailed to their addresses.

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
